A few years ago, when Tripwire was no longer free, I set up a "scan
once" environment for ClamAV, identifying files using SHA1 hashing
(with a few 'stat' results like inode and timestamp for good measure).

I gave up when I realized that even if a file had already been scanned,
it might have contained "0-day" malware when it was scanned. This could
make it quite nasty, especially if ClamAV is behind in 0-day detection.


On Wed, 21 Mar 2018 16:56:06 -0700
Dennis Peterson <denni...@inetnw.com> wrote:

> It is possible to integrate ClamAV and Tripwire to get to a scan-once 
> environment. Include puppet or CFEngine for a more complete tool.
> 
> dp
> 
> On 3/20/18 5:01 AM, Micah Snyder (micasnyd) wrote:
> > Good morning Tsutomu,
> >
> > Al is quite correct.  clamd and clamdscan maintain no memory of
> > what has been scanned before.
> >
> > In your ordinary use case, you simply run clamdscan over whatever
> > you want to scan.  You can exclude specific directories in your
> > configuration if you want to point clamdscan at a high level
> > directory to scan many items.
> >
> > In truth, I've never tried accessing the files as they were
> > scanned, but I do not believe that there is any reason why the files
> > would be locked by ClamAV except in the following case.
> >
> > On newer versions of Linux that have been built with
> > CONFIG_FANOTIFY=y enabled, you can configure clamd to monitor
> > directories.  An additional option may be enabled that we call
> > "OnAccessPrevention", which can intentionally block access to the file
> > until it has been scanned and will deny access if the file is
> > flagged.  OnAccessPrevention requires that your kernel has been built
> > with CONFIG_FANOTIFY_ACCESS_PERMISSION=y.   If you're interested in
> > trying this out, please read
> > http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
> >
> > Sadly, OnAccess scanning and prevention only exist for Linux at
> > this time.
> >
> >
> > Micah Snyder
> > ClamAV Development
> > Talos
> > Cisco Systems, Inc.
> >

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
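
Added example, not part of the original thread and not ClamAV or Tripwire code: a scan-once cache of the kind described in the top reply, with each clean verdict tied to the signature database version that produced it, so a database update forces a rescan and narrows the window in which a file scanned before its signature existed keeps its stale verdict. SHA-256 is used here in place of the SHA1 mentioned in the post. The names ScanCache, fingerprint, needs_scan and record_clean are hypothetical, and db_version is assumed to be supplied by the caller (for example parsed from the scanner's version output).

```python
import hashlib
import json
import os


def fingerprint(path):
    """Content hash plus the stat fields the post mentions (inode, timestamp)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "inode": st.st_ino,
            "mtime_ns": st.st_mtime_ns, "size": st.st_size}


class ScanCache:
    """Remembers clean verdicts; each is valid only for one signature DB version."""

    def __init__(self, cache_file):
        self.cache_file = cache_file
        self.entries = {}
        if os.path.exists(cache_file):
            with open(cache_file) as f:
                self.entries = json.load(f)

    def needs_scan(self, path, db_version):
        """Return the reason a scan is required, or None if the cached verdict holds."""
        entry = self.entries.get(os.path.abspath(path))
        if entry is None:
            return "never scanned"
        # A verdict from older signatures says nothing about newer detections.
        if entry["db_version"] != db_version:
            return "signatures changed since last scan"
        if entry["fingerprint"] != fingerprint(path):
            return "file changed since last scan"
        return None

    def record_clean(self, path, db_version):
        """Store a clean verdict (hypothetical caller: runs after the scanner reports OK)."""
        self.entries[os.path.abspath(path)] = {
            "fingerprint": fingerprint(path), "db_version": db_version}
        with open(self.cache_file, "w") as f:
            json.dump(self.entries, f)
```

The cache only shortens the exposure: a file that is malicious but undetected by the current database is still recorded as clean until the next database version arrives.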